Option to delay bake variable validation until first use

[rrjjvv]

Description

The current behavior, where variable validations are done prior to anything actually building, is often preferred ("fail fast") or at least inconsequential. But there are times where a target does not even use a variable, thus could/should be exempt from the validation (e.g., when you have a target responsible for creating a compliant variable value while not depending on it itself).

I have a bake file that enforces a non-latest tag in CI:

variable "CI" {
  description = "do not set; will always be 'true' in CI"
  type = string
}

variable "TAG" {
  description = "default tag to apply to all generated images"
  type = string
  default = "latest"

  validation {
    condition = TAG != "latest" || CI != "true"
    error_message = "TAG must be defined in CI"
  }
}

I have a docker buildx bake generate-version which was supposed to be responsible for calculating the value for TAG, but can't be used since TAG is not defined (despite not being referenced).

An exemption list seems logical, e.g.

variable "TAG" {
  description = "default tag to apply to all generated images"
  type = string
  default = "latest"

  validation {
    condition = TAG != "latest" || CI != "true"
    error_message = "TAG must be defined in CI"
    except = ["generate-version"]
  }
}

but a quick look at the current code suggests this would not simple.

Something like

variable "TAG" {
  description = "default tag to apply to all generated images"
  type = string
  default = "latest"

  validation {
    condition = TAG != "latest" || CI != "true"
    error_message = "TAG must be defined in CI"
    lazy = true
  }
}

would be just as useful, and maybe more doable... I didn't see any glaring/obvious reasons why that couldn't be done.

There are many workarounds, the most obvious being to fake it (e.g., TAG=fake docker buildx bake generate-version) or bypassing bake (thus its validations) altogether using raw docker buildx build --target generate-version --output out/version. But it still seemed like a useful/reasonable/expected feature, so figured I'd still open the request/idea.